Active Directory Federation Services (ADFS) has become increasingly popular in the last few years. As a penetration tester, I'm seeing organizations opening themselves up to attacks on ADFS endpoints across the Internet. Manually completing attacks against these endpoints can be tedious. The current native Microsoft management tools are handy, but what if we weaponized them. During this talk, I will show you how to identify domains that support ADFS, confirm email addresses for users of the domain, and help you guess passwords for those users. We'll cover how you can set up your own hosted ADFS domain (on the cheap), and use it to attack other federated domains. On top of that, we'll show you how you can wrap all of the native functionality with PowerShell to automate your attacks. This talk should give penetration testers an overview on how they can start leveraging ADFS endpoints during a penetration test.

Karl is a Managing Consultant with NetSPI who specializes in network and web application penetration testing. With over eight years of consulting experience in the computer security industry, he has worked in a variety of industries and has made his way through many Active Directory domains. Karl also holds a BS in Computer Science from the University of Minnesota. This year, he has spent a fair amount of time digging into the Skype for Business APIs. Prior to that, Karl has helped build out and maintain NetSPI's GPU cracking boxes. Karl holds a couple of certifications, that is neat. Karl has previously spoken at THOTCON, BSidesMSP, Secure360, and AppSec California. In his spare time, you may see him trying to sell you a t-shirt as a swag goon at DEF CON.